PAN-SA-2013-0001: App-ID Cache Poisoning
Palo Alto Networks Product Security Incident Response Team
Published: Jan 07, 2013 - 8:00 a.m.
securityadvisories.paloaltonetworks.com

EPSS score: 0.018 (Low); percentile: 88.1%

An evasion technique that takes advantage of the App-ID cache function has recently been published. In certain circumstances, a knowledgeable user can bypass a security policy that restricts the use of certain applications by sending numerous specially crafted requests over the network in order to poison the firewall's App-ID cache. This can result in the use of a blocked application for a period of time. If the App-ID cache pollution evasion technique is a potential problem for your network, we recommend using one or both of the mitigation steps noted below while we further enhance the App-ID cache feature to resist all possible pollution techniques. (Ref #47195)
This issue affects the ability of the firewall to block certain applications when specially crafted requests are passed through the firewall.
This issue affects all versions of PAN-OS 5.0.1 and earlier.

Workaround:
Upgrade to the available updates for the 5.0, 4.1, and 4.0 PAN-OS releases. This update changes the way the App-ID cache is used to prevent App-ID cache poisoning.

Additionally, Palo Alto Networks recommends using "application-default" or specific ports in the service field of the security policies. This prevents applications from running on unusual ports and protocols, which, if not intentional, can be a sign of undesired application behavior and usage. Many of the evasion variants observed using App-ID cache pollution would have failed if "application-default" had been used in the security policies. All security rules with "any" in the service field should be double-checked and, in most cases, modified to use a specific port or "application-default". Note that the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.
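As an added example (not from the advisory or from Palo Alto Networks), a Python check for the audit step above: it parses a constructed security rulebase written in the layout of a PAN-OS XML config export (the element paths are an assumption), flags allow rules whose service field is "any", and returns the same rulebase with those rules switched to "application-default".

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS XML config export (an assumption
# here, not text from the advisory): rules sit under rulebase/security/rules.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="allow-web-any-port">
    <application><member>web-browsing</member></application>
    <service><member>any</member></service><action>allow</action>
  </entry>
  <entry name="allow-web-default">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service><action>allow</action>
  </entry>
  <entry name="deny-all">
    <application><member>any</member></application>
    <service><member>any</member></service><action>deny</action>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

RULE_XPATH = ".//rulebase/security/rules/entry"


def find_any_service_allow_rules(config_xml):
    """Names of allow rules whose service field is "any": these let an
    application run on any port, which the cache-pollution variants relied on.
    Deny rules with service "any" are not flagged; they only restrict."""
    root = ET.fromstring(config_xml)
    return [
        rule.get("name")
        for rule in root.iterfind(RULE_XPATH)
        if rule.findtext("action") == "allow"
        and "any" in [m.text for m in rule.iterfind("service/member")]
    ]


def harden_service_field(config_xml):
    """Return the config with flagged rules switched to application-default,
    so App-ID still inspects every port but each application is permitted only
    on its default ports/protocols, as the advisory recommends."""
    root = ET.fromstring(config_xml)
    for rule in root.iterfind(RULE_XPATH):
        if rule.findtext("action") != "allow":
            continue
        for member in rule.iterfind("service/member"):
            if member.text == "any":
                member.text = "application-default"
    return ET.tostring(root, encoding="unicode")
```

Rules that need a specific service object rather than "application-default" still have to be reviewed by hand; the script only applies the advisory's default recommendation.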

CPE Name   Operator   Version
pan-os     le         5.0.1

